Hi,
I have three slightly different queries on the same data set.
(1)
general_attribute="foo" special_attribute="A" | timechart span="1d" dc(user)
(2)
general_attribute="foo" special_attribute="B" | timechart span="1d" dc(user)
(3)
general_attribute="foo" special_attribute="C" | timechart span="1d" dc(user)
I would like to see all three of them in one chart, e.g. a bar chart with 3 bars per day.
Is this possible with Splunk?
Thanks,
Lars
Sure.
general_attribute="foo" (special_attribute="A" OR special_attribute="B" OR special_attribute="C") | timechart span="1d" dc(user) by special_attribute
Common visualizations for this are (stacked) columns, (stacked) area, or line charts depending on the meaning of the data and the viewer.
Works great, thank you!!